os-upnp 1.5_5 - Not able to add port forwards

[MorningLightMountain713]

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

• [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
• [x] The title contains the plugin to which this issue belongs

Describe the bug I upgraded to latest version. Port forwarding no longer works. This worked fine on os-upnp 1-5_4 opnsense version 23.7.9 with base and kernel 23.7.8. (I would downgrade but can't seem to get back to base 23.7.8, I reverted the kernel but it keeps the latest base)

To Reproduce On a client I run the following, and it usually opens a port:

davew@salad:~$ upnpc -a 192.168.44.10 14498 14498 tcp 600
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.44.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.44.1:2189/ctl/IPConn
Local LAN ip address : 192.168.44.10
GetSpecificPortMappingEntry() failed with code 714 (NoSuchEntryInArray)

However you can see above, it seems to add the port, but then fails to try and read the info. If I look at the gui, it seems to have added it, but it hasn't. See screenshot, you can see where I've added the same forward twice. (this shouldn't happen)

If I then run

davew@salad:~$ upnpc -L
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.44.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.44.1:2189/ctl/IPConn
Local LAN ip address : 192.168.44.10
 i protocol exPort->inAddr:inPort description remoteHost leaseTime

It doesn't see the port forward, even though the gui says it's there.

Running miniupnpd with -d this is the output:

root@OPNonsense:~ # /usr/local/sbin/miniupnpd -d -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.
miniupnpd 18578 - - version 2.3.3 starting UPnP-IGD ext if ovpnc1 BOOTID=1704530886
miniupnpd 18578 - - HTTP listening on port 2189
miniupnpd 18578 - - no HTTP IPv6 address, disabling IPv6
miniupnpd 18578 - - level=0 type=20
miniupnpd 18578 - - sdl_index = 1  vtnet0:26.de.4a.b8.c0.b
miniupnpd 18578 - - ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1 (ver=1)
miniupnpd 18578 - - SSDP M-SEARCH from 192.168.44.10:55756 ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
miniupnpd 18578 - - Single search found
miniupnpd 18578 - - SendSSDPResponse(): 0 bytes to 192.168.44.10:55756 ST: HTTP/1.1 200 OK
CACHE-CONTROL: max-age=120
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:309d5874-e90c-98d9-d8b1-7d90bc9d69e::urn:schemas-upnp-org:device:InternetGatewayDevice:1
EXT:
SERVER: FreeBSD/13.2-RELEASE-p7 UPnP/1.1 MiniUPnPd/2.3.3
LOCATION: http://192.168.44.1:2189/rootDesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1704530886
BOOTID.UPNP.ORG: 1704530886
CONFIGID.UPNP.ORG: 1337

miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58496 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58512 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58528 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58534 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58536 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd 18578 - - AddPortMapping: ext port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc leaseduration=600 rhost=
miniupnpd 18578 - - UPnP permission rule 0 matched : port mapping accepted
miniupnpd 18578 - - Check protocol tcp for port 2222 on ext_if ovpnc1 10.0.2.2, 0202000A
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58536 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58534 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58528 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58512 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58496 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:2189 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:22 692010ac:63494 <=> 2222 0202000a:2222
miniupnpd 18578 - - 0100007f:953 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:80 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:443 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 0100007f:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - redirecting port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58540 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetSpecificPortMappingEntry
miniupnpd 18578 - - Returning UPnPError 714: NoSuchEntryInArray

Expected behavior Run the command and a port is forwarded

Screenshots See above screenshot

Relevant log files See above miniupnpd logs

Additional context NA

Environment

os-upnp 1-5_5 opnsense 23.7.11 kernel 23.7.10

[MorningLightMountain713]

Of note, I have another box, running the exact same config, but on the above mentioned prior versions - working fine. As a test, I'd like to revert back to that firmware. If someone could let me know how to downgrade the base package, I'll try that and see if I can get it working again.

I downgraded the kernel with opnsense-update -kr 23.7.8 but that only did the kernel, not the base

[MorningLightMountain713]

I uninstalled the os-upnp plugin and reinstalled it and now I get this:

root@OPNonsense:~ # /usr/local/sbin/miniupnpd -d -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.pid
miniupnpd 9122 - - version 2.3.3 starting UPnP-IGD ext if ovpnc1 BOOTID=1704534859
miniupnpd 9122 - - HTTP listening on port 2189
miniupnpd 9122 - - no HTTP IPv6 address, disabling IPv6
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - level=0 type=20
miniupnpd 9122 - - sdl_index = 1  vtnet0:26.de.4a.b8.c0.b
miniupnpd 9122 - - ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1 (ver=1)
miniupnpd 9122 - - SSDP M-SEARCH from 192.168.44.10:42181 ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
miniupnpd 9122 - - Single search found
miniupnpd 9122 - - SendSSDPResponse(): 0 bytes to 192.168.44.10:42181 ST: HTTP/1.1 200 OK
CACHE-CONTROL: max-age=120
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:309d5874-e90c-98d9-d8b1-7d90bc9d69e::urn:schemas-upnp-org:device:InternetGatewayDevice:1
EXT:
SERVER: FreeBSD/13.2-RELEASE-p7 UPnP/1.1 MiniUPnPd/2.3.3
LOCATION: http://192.168.44.1:2189/rootDesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1704534859
BOOTID.UPNP.ORG: 1704534859
CONFIGID.UPNP.ORG: 1337

miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47308 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47324 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47336 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47338 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47348 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd 9122 - - AddPortMapping: ext port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc leaseduration=600 rhost=
miniupnpd 9122 - - UPnP permission rule 0 matched : port mapping accepted
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - Check protocol tcp for port 2222 on ext_if ovpnc1 10.0.2.2, 0202000A
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47348 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47338 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47336 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47324 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47308 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:2189 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:22 692010ac:64749 <=> 2222 0202000a:2222
miniupnpd 9122 - - 0100007f:953 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:80 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:443 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 0100007f:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - redirecting port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc
miniupnpd 9122 - - ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
miniupnpd 9122 - - Returning UPnPError 501: ActionFailed
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument

[MorningLightMountain713]

I rebooted, now back to the original issue

[fichtner]

I can say with considerable confidence that pfSense likely broke this. It's a recurring pattern around libpfctl at the moment... https://github.com/opnsense/ports/commit/ea2bfadb1410934a2d9 -> https://github.com/freebsd/freebsd-ports/commit/81e8bb9834

# opnsense-revert -r 23.7.10 miniupnpd

[MorningLightMountain713]

I can say with considerable confidence that pfSense likely broke this. It's a recurring pattern around libpfctl at the moment... opnsense/ports@ea2bfadb1410934a2d9 -> freebsd/freebsd-ports@81e8bb9834

# opnsense-revert -r 23.7.10 miniupnpd

Hey! I ran the above command - now my forwards are working again! Awesome! Just for my learnings, can you explain what it did please?

Thanks!!

[fichtner]

The command reinstalled the miniupnpd package of OPNsense version 23.7.10 which doesn’t use libpfctl as it did for many years. 😉

Cheers, Franco

[fichtner]

If anyone wants to submit an upstream bug report be my guest... https://bugs.freebsd.org

I'm done dealing with libpfctl breakage.

[MorningLightMountain713]

If anyone wants to submit an upstream bug report be my guest... https://bugs.freebsd.org

I'm done dealing with libpfctl breakage.

I'll get this logged and fight the good fight upstream!

[gagx2]

Hey! I have exactly the same issue and your opnsense-revert command fixed this for me too!
Thank you @fichtner

[xmaka]

Thank you! I will stay tuned for updates

[wuyue92tree]

I can say with considerable confidence that pfSense likely broke this. It's a recurring pattern around libpfctl at the moment... opnsense/ports@ea2bfadb1410934a2d9 -> freebsd/freebsd-ports@81e8bb9834

# opnsense-revert -r 23.7.10 miniupnpd

my opensense version is 24.1.7, Is there an suitable miniupnpd version which doesn’t use libpfctl? Thank you.

[fichtner]

# opnsense-revert -z miniupnpd

This is a snapshot release of 2.3.6 to try.